Kubei – Kubernetes Runtime Vulnerability Scanner
Kubei is a vulnerability scanning tool that gives users an accurate and immediate risk assessment of their Kubernetes clusters. Kubei scans every image that is actually in use in the cluster, including the images of application pods and system pods. It does not scan entire image registries and does not require any preliminary integration with CI/CD pipelines.

It is a configurable tool: users can define the scope of the scan (target namespaces), the scan speed, and the minimum vulnerability severity level of interest.
It provides a graphical UI that shows the viewer where each vulnerable image is running and what should be replaced in order to mitigate the discovered vulnerabilities.
The file deploy/kubei.yaml is used to deploy and configure Kubei on your cluster. Configuration is done through environment variables in that file:

- Set the scan scope. Set the IGNORE_NAMESPACES env variable to ignore specific namespaces. Set TARGET_NAMESPACE to scan a specific namespace, or leave it empty to scan all namespaces.
- Set the scan speed. Expedite scanning by running parallel scanners. Set the MAX_PARALLELISM env variable to the maximum number of simultaneous scanners.
- Set the severity level threshold. Vulnerabilities with a severity level higher than or equal to SEVERITY_THRESHOLD will be reported. Supported levels, from lowest to highest, are Unknown, Negligible, Low, Medium, High, Critical and Defcon1. The default is Medium.
- Set the delete job policy. Set the DELETE_JOB_POLICY env variable to define whether or not completed scanner jobs are deleted. Supported values are: All (all jobs will be deleted), Successful (only successful jobs will be deleted; this is the default, so failed scanner jobs stay around for inspection), and Never (jobs will never be deleted).
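The following shell script is an added example, not part of the Kubei project or of the page above. It validates the four tuning values described in the list against the supported sets given there, then prints (or, with DRY_RUN=0, runs) the kubectl set env command that pushes them into the running deployment. The deployment name deployment/kubei and the namespace kubei are assumptions for illustration, as is kube-system as a sample namespace to ignore; adjust them to match your deploy/kubei.yaml.

```shell
#!/usr/bin/env sh
# Added example (not from the Kubei project): check Kubei tuning values against
# the supported sets documented above, then apply them with `kubectl set env`.

# Assumptions: the Kubei Deployment is called "kubei" in namespace "kubei".
KUBEI_DEPLOYMENT="${KUBEI_DEPLOYMENT:-deployment/kubei}"
KUBEI_NAMESPACE="${KUBEI_NAMESPACE:-kubei}"

# Severity levels Kubei understands, lowest to highest; delete-job policies.
SEVERITY_LEVELS="Unknown Negligible Low Medium High Critical Defcon1"
JOB_POLICIES="All Successful Never"

# in_list VALUE "WORD WORD ..." -> 0 if VALUE is exactly one of the words
in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# validate_settings THRESHOLD POLICY PARALLELISM -> 0 if every value is acceptable
validate_settings() {
  in_list "$1" "$SEVERITY_LEVELS" || { echo "bad SEVERITY_THRESHOLD: $1" >&2; return 1; }
  in_list "$2" "$JOB_POLICIES"    || { echo "bad DELETE_JOB_POLICY: $2" >&2; return 1; }
  # MAX_PARALLELISM must be a positive integer (empty, non-digits and 0 are rejected)
  case "$3" in
    ''|*[!0-9]*|0) echo "MAX_PARALLELISM must be a positive integer: $3" >&2; return 1 ;;
  esac
  return 0
}

# build_set_env_cmd THRESHOLD POLICY PARALLELISM [TARGET_NS] [IGNORE_NS]
# Prints the kubectl command that applies the settings; an empty TARGET_NAMESPACE
# means "scan all namespaces", as the configuration notes above describe.
build_set_env_cmd() {
  printf 'kubectl -n %s set env %s SEVERITY_THRESHOLD=%s DELETE_JOB_POLICY=%s MAX_PARALLELISM=%s TARGET_NAMESPACE=%s IGNORE_NAMESPACES=%s\n' \
    "$KUBEI_NAMESPACE" "$KUBEI_DEPLOYMENT" "$1" "$2" "$3" "${4:-}" "${5:-}"
}

# apply_settings THRESHOLD POLICY PARALLELISM [TARGET_NS] [IGNORE_NS]
# Validates first; with DRY_RUN=1 (the default) only prints the command.
apply_settings() {
  validate_settings "$1" "$2" "$3" || return 1
  cmd=$(build_set_env_cmd "$@")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$cmd"
  else
    eval "$cmd"
  fi
}

# Sample run: report High and above, keep failed jobs, 4 parallel scanners,
# all namespaces except kube-system (kube-system is only a sample value).
apply_settings High Successful 4 "" kube-system
```

Run it with DRY_RUN=0 once the printed command looks right; because validation happens before kubectl is invoked, a typo such as "Critcal" is caught locally instead of being silently written into the deployment.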
You can read more about the tool and download it here: https://github.com/Portshift/Kubei